pam-krb5 3.6 released

Nicolas Williams Nicolas.Williams at sun.com
Wed Sep 19 17:57:15 EDT 2007


On Wed, Sep 19, 2007 at 08:06:42PM +0100, Markus Moeller wrote:
> Did you have a chance to look at the keytab verification problem I
> mentioned some time ago?  Right now you need to have a host/fqdn entry to
> verify the tickets, but this means the application needs to run as root 
> (Assuming verify_ap_req_nofail is set to true which I think should be the 
> default for pam anyway)

Solaris PAM requires that PAM functions be called with all [zone]
privileges asserted.  It's a very good simplifying assumption that PAM
modules will need privilege, and PAM being pluggable, the framework and
the application cannot know a priori which privileges a module might
need.  I would apply the same constraint to Linux-PAM.

Applications like screen savers must either be part of the trusted base,
and setuid or what-have-you, or they must be able to use a helper
process to handle authentication.

Nico